Analysis: Websites struggling for legal recourse for DoS attacks

Websites blocked by ISPs when under a distributed denial of service attack (DDoS) face millions of pounds in lost business because ISPs refuse to take responsibility for hosting infected computers on their networks.

Typically, a distributed denial of service attack relies on an attacker remotely controlling numerous and widely distributed computers infected by viruses and Trojans. The attacker uses these 'botnets' to send a flood of requests to a website, which is often unable to cope and its servers fail, taking the website offline.

It's a relatively simple and cheap operation for the attacker. Keith Laslop, President of DDOS mitigation outfit Prolexic told us: 'I've seen them on forums where you can hire bots for next to nothing. Four cents a bot. So you could take down a site very cheaply. You could get enough together for, say, a 50Mbits DDOS attack. You could take someone out with that.'

DOS attacks are also becoming increasingly common. During the first six months of 2006, Symantec observed an average of 6,110 DoS attacks per day.

When an ISP sees this huge amount traffic aimed at one URL, the response can often be to block access to the target site.

However, the ISPs don't do anything about the infected computers of their own subscribers that are sending the flood of data in the first place. The result is that ISPs block access to, and therefore business from, websites targeted in this way.

Chris Tolson, Infrastructure Manager at a large online gambling company, told us his business is often targeted by DDOS attacks directed through a number of ISPs around the globe, including Comcast in the US. 'The Comcast issue is slightly different (and not specific to this ISP) and a result of sustaining a large scale DDOS attack that Comcast PCs are taking part in... Basically Comcast see large amounts of traffic saturating their ADSL lines and core routers due to their customers' PCs being compromised and used as part of the source of the attack on a gaming company like ourselves. The easiest way they can resolve this is to black hole the destination of all this traffic ie the gaming site. However, what they should really be doing is identifying all their customers that are infected by this zombie virus and cleaning up their network. The net affect of this is that all Comcast customers can no longer get to the gaming site even after the attack has finished and it is the IT manager's responsibility to try and get this ACL [access control list] lifted by phoning the offending ISP.'

Often such attacks are based around extortion attempts and, in order for them to be successful, they are often timed around events critical to the target website. In the case of the gambling industry, key sporting events such as horse races are often preceded by extortion threats of DDOS attacks. And a site taken off-air in the build-up to these events isn't doing business. In fact it's haemorrhaging money.

Tolson told us: '[It] obviously depends on the size of the ISP and how many of their customers are our customers, but a figure out of the air for someone like BT or Claranet (neither have ever black-holed us) could be, over a weekend period, something like 1 million to 5 million in gross bets taken (our profitability depends on the outcomes of those bets taken)'.

Those kind of losses make a business look at its options. Tolson said: 'Going to court over this is definitely an interesting proposition'.

The problem is that there is little legal recourse available. The UK Computer Misuse Act has been updated to make DOS attacks a specific crime, but there's nothing mandating an ISP's responsibility regarding identifying the IP addresses of zombie computers or dealing with traffic sent through them.

Andrew Katz, of Moorcrofts Corporate Law, told us: 'The law finds it difficult to deal with DDOS attacks. One issue which occurs is that by starting to block the IPs of zombies, the ISPs may be accepting legal responsibility for any issues which arise in the future. I would expect that the ISPs would say that their job is limited to delivering packets to and from the Internet to the relevant client IP addresses, and that was that, unless they had specifically accepted any other obligations (e.g. virus scanning). So I would have thought it would be difficult to claim against the ISPs in question for delivering the DDOS packets. Whether [the site] has a claim against them for blocking access to it is a different matter.

'Interestingly, if the contract between the third party ISP and its customer had a clause saying "It is our job to deliver packets to the appropriate IP addresses" and there was no "Rights of Third Parties" clause in the agreement, even though the gambling site was not a party to that agreement, they could claim under the agreement that they had a right to have legitimately addressed packets delivered to it, as a consequence of the Contracts (Rights of Third Parties) Act. But I've never heard of anyone trying to use the legislation this way before.'

However, the terms and conditions of Orange and BT contracts, for example, don't make any promise to deliver legitimate packets to an IP destination, but simply to offer a connection.

Struan Robertson, a corporate lawyer who edits law firm Pinsent Masons' site, told us that as well as considering the contract terms, industry best practice is also a benchmark against which the behaviour of ISPs can be judged, and potentially be found negligent. 'If you can establish that no reasonable ISP would have done the same thing, then you might be able to sue for damages,' he said.